Running crowdsec as non-root user in Docker?

Hi everyone,

I am new to crowdsec and I have set up crowdsec using the Docker container from here in my home lab:
https://hub.docker.com/r/crowdsecurity/crowdsec

The container seems to be running as root by default. Is it possible to run it with a non-root user? I tried it, and it worked quite well for the most part, but I get e.g. this error on every startup:

crowdsec  | time="2024-09-18T21:08:17+02:00" level=error msg="unable to open GeoLite2-City.mmdb : open /var/lib/crowdsec/data/GeoLite2-City.mmdb: permission denied"
crowdsec  | time="2024-09-18T21:08:17+02:00" level=warning msg="unable to initialize GeoIP: open /var/lib/crowdsec/data/GeoLite2-City.mmdb: permission denied"

I think the reason is that this directory and its files are only accessible by root user and root group:

f5fb83303192:/$ ls -la /staging/var/lib/crowdsec/data/
total 70504
drwxr-xr-x    3 root     root          4096 Sep 12 11:39 .
drwxr-xr-x    1 root     root          4096 Sep 12 11:39 ..
-rw-------    1 root     root       8404553 Sep 12 11:39 GeoLite2-ASN.mmdb
-rw-------    1 root     root      63771586 Sep 12 11:39 GeoLite2-City.mmdb
drwx------    2 root     root          4096 Sep 12 11:39 trace

This directory is created here in the Dockerfile:

I can manually change the permissions in the running container, which seems to work, and I guess I could also patch the Dockerfile myself to adapt the permissions.

I am surprised I could not find any information online about running crowdsec as non-root user but maybe I had bad luck when searching. Is there an official way to do this? Or is it generally not advised to do so?

Thanks in advance for help!

I’m running crowdsec as a custom user:

  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:${CROWDSEC_VERSION}
    container_name: crowdsec
    restart: unless-stopped
    user: "1999:1999"

This works in general, but you need to take care of all the directories and create them manually, as the limited user cannot create them itself (in my case).

@isdnfan, how do you cope with the contents of /var/lib/crowdsec/data/

crowdsec  | time="2025-09-15T07:01:01Z" level=error msg="open /var/lib/crowdsec/data/rdns_seo_bots.txt: permission denied"
crowdsec  | time="2025-09-15T07:01:01Z" level=error msg="open /var/lib/crowdsec/data/rdns_seo_bots.regex: permission denied"
crowdsec  | time="2025-09-15T07:01:01Z" level=error msg="open /var/lib/crowdsec/data/ip_seo_bots.txt: permission denied"

Nothing special: you create the directory in advance, chown it to the right UID and mount it into the container.

# ls -aln ./crowdsec
drwxr-xr-x  2 1999 1999 4096 Nov 14  2024 acquis.d
drwxr-xr-x 14 1999 1999 4096 May  5 10:02 config
drwxr-xr-x  2 1999 1999 4096 Aug 31 16:30 db
-rw-r--r--  1 1999  995  687 Feb 23  2025 _my-ip-whitelist.yml
-rw-------  1 1999  995 1651 Sep  6 22:28 _my-nextcloud-whitelist.yml
# compose.yml
    volumes:
      - ./crowdsec/config/:/etc/crowdsec/
      - ./crowdsec/db/:/var/lib/crowdsec/data/
      - ./crowdsec/acquis.d/:/etc/crowdsec/acquis.d/:ro
      # map whole directory to make logrotate work
      - ./log/:/var/log/traefik/:ro
      - ./crowdsec/_my-nextcloud-whitelist.yml:/etc/crowdsec/parsers/s02-enrich/my-nextcloud-whitelist.yaml:ro
      - ./crowdsec/_my-ip-whitelist.yml:/etc/crowdsec/parsers/s02-enrich/_my-ip-whitelist.yml
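As an added example (not code from this thread or from the crowdsec project), here is a small host-side check that lists the files under a bind-mounted crowdsec directory that the container user from the compose snippet above (`user: "1999:1999"`) cannot read, i.e. the files behind the "permission denied" errors quoted earlier. It assumes GNU `stat` on Linux; the UID/GID default to the thread's values and the demo tree at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the crowdsec project.
# Finds files under a bind-mounted crowdsec directory that the container
# user (user: "1999:1999" in the compose snippet above) cannot read.
# Assumes GNU stat (Linux). UID/GID default to the thread's values.

CS_UID="${CS_UID:-1999}"
CS_GID="${CS_GID:-1999}"

# readable_by FILE UID GID: succeed if UID:GID may read FILE, judging from
# owner, group and mode bits the way the kernel does: owner class if the
# UID matches, else group class, else "other". Root (UID 0) bypasses the
# mode bits, which is why the default root container never hits this.
readable_by() {
  f="$1"; uid="$2"; gid="$3"
  [ "$uid" -eq 0 ] && return 0
  set -- $(stat -c '%u %g %a' "$f")      # owner-uid owner-gid octal-mode
  owner="$1"; group="$2"; mode="$3"
  prefix="${mode%???}"                   # strip a leading suid/sgid/sticky
  mode="${mode#$prefix}"                 # digit, keep the last three only
  if [ "$uid" -eq "$owner" ]; then
    class="${mode%??}"                   # owner digit
  elif [ "$gid" -eq "$group" ]; then
    class="${mode#?}"; class="${class%?}" # group digit
  else
    class="${mode#??}"                   # other digit
  fi
  [ $((class & 4)) -ne 0 ]               # read bit set in that class?
}

# unreadable_files DIR UID GID: print each regular file under DIR that
# UID:GID cannot read (directories also need the execute bit to be
# entered; that check is left out here for brevity).
unreadable_files() {
  find "$1" -type f | while IFS= read -r path; do
    readable_by "$path" "$2" "$3" || printf '%s\n' "$path"
  done
}

# Constructed demo tree modelled on the listing in the first post:
# GeoLite2-City.mmdb is 0600 (unreadable for 1999), rdns_seo_bots.txt is
# 0644 (readable). Both are owned by whoever runs this script.
demo_dir=$(mktemp -d)
touch "$demo_dir/GeoLite2-City.mmdb" "$demo_dir/rdns_seo_bots.txt"
chmod 600 "$demo_dir/GeoLite2-City.mmdb"
chmod 644 "$demo_dir/rdns_seo_bots.txt"
unreadable_files "$demo_dir" "$CS_UID" "$CS_GID"
# Host-side fix for such a listing (run as root): chown -R 1999:1999 DIR
```

Run it against the host directory you bind-mount to `/var/lib/crowdsec/data/` before starting the container; anything it prints will produce the same `permission denied` lines as above.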

But then it’ll initially be empty, won’t it? From what I see there are some default files in it, which are symlinked then.